WhiteSource manages the security, licensing, and maintenance of open source components throughout the software development lifecycle. It identifies open source components that have security or compliance issues. When issues are detected, it provides alerts and remediation assistance. The WhiteSource plugin integrates with WhiteSource to retrieve license risk and security vulnerability data from WhiteSource scan results for inclusion in an HCL DevOps Velocity metric.
WhiteSource identifies all open source components and their dependencies in software. WhiteSource secures software from vulnerabilities and enforces license policies throughout the software development lifecycle.
The WhiteSource plug-in retrieves WhiteSource scan results and shows the License Risks and Security Vulnerabilities in HCL DevOps Velocity metric displays.
WhiteSource scan results in HCL DevOps Velocity
Usage
To use the WhiteSource plugin, the plugin must be loaded and an instance created before you can configure the plugin integration. You define configuration properties in the user interface or in a JSON file.
Integration type
The WhiteSource plugin supports endpoint integration, which is listed in the following table.
Endpoints

| Name | Path | Method |
| --- | --- | --- |
| WhiteSource Scan | wScan | Post |
Invoking the plugin
To import data from the WhiteSource server, send an HTTP POST request to your endpoint.
Integration
There are two methods to integrate the plugin:
Using the user interface
Using a JSON file
Using the user interface
From the Plugins page, click Settings > Integrations > Plugins.
Under the Action column for the plugin, click Add Integration.
On the Add Integration page, enter values for the fields used to configure the integration and define communication.
Click Save.
WhiteSource plugin integration
Using a JSON file
The JSON file contains the information for creating a value stream and integrating with the WhiteSource server. The following table describes the information for creating an HCL DevOps Velocity value stream map.
From a value stream page, download the value stream map. The value stream map is a JSON file used to define integrations.
Edit the JSON file to include the plugin configuration properties.
Save and upload the JSON file. This replaces the current JSON file with the new content.
View the new integration on the Integrations page.
Configuration Properties
The following tables describe the properties used to configure the integration. Each table contains the field name when using the user interface and the property name when using a JSON file.
The General Configuration Properties table describes configuration properties used by all plugin integrations.
The WhiteSource Configuration Properties table describes the configuration properties that define the connection and communications with the WhiteSource server. When using the JSON method to integrate the plugin, these properties are coded within the properties configuration property.
Some properties might not be displayed in the user interface. To see all properties, enable the Show Hidden Properties field.
General Configuration Properties

| Name | Description | Required | Property Name |
| --- | --- | --- | --- |
| NA | The version of the plugin that you want to use. To view available versions, click the Version History tab. If a value is not specified, the version named latest is used. | No | image |
| Integration Name | An assigned name to the value stream. | Yes | name |
| Logging Level | The level of Log4j messages to display in the log file. Valid values are: all, debug, info, warn, error, fatal, off, and trace. | No | loggingLevel |
| NA | List of plugin configuration properties used to connect and communicate with the WhiteSource server. Enclose the properties within braces. | Yes | properties |
| | The name of the tenant. | Yes | tenant_id |
| NA | Unique identifier assigned to the plugin. The value for the WhiteSource plugin is ucv-ext-whitesource | Yes | type |
| Product tokens | Add product tokens from WhiteSource on which to run the scan. | Yes | type |
| Project Names | Add project names within the product to run the scan at project level. | No | type |
| Custom field mapping | Add custom field mapping to map image tags to the application name for the pipeline. | No | type |
WhiteSource Configuration Properties

| Name | Type | Description | Required | Property Name |
| --- | --- | --- | --- | --- |
| User Key | String | User Key for authentication with WhiteSource. | Yes | userKey |
| URL | String | The base URL of the WhiteSource API. | Yes | asocUrl |
| HCL DevOps Velocity User Access Key | Secure | User access key for authentication with HCL DevOps Velocity. | Yes | keySecret |
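Because the value stream JSON file carries both userKey and keySecret, it helps to validate an integration entry and mask its secrets before the file is uploaded, logged, or shared. The following check is an added example, not part of the plugin or of HCL's documentation; the function names are hypothetical, the entry layout (WhiteSource properties nested under properties) follows the tables above, and the https requirement on asocUrl is an added assumption rather than a documented plugin rule.

```python
import copy

# Property names and valid values come from the two tables on this page.
REQUIRED_TOP = ("name", "properties", "tenant_id", "type")
REQUIRED_WS = ("userKey", "asocUrl", "keySecret")
SECRET_PROPS = ("userKey", "keySecret")
PLUGIN_TYPE = "ucv-ext-whitesource"
LOG_LEVELS = {"all", "debug", "info", "warn", "error", "fatal", "off", "trace"}


def check_integration(entry):
    """Return a list of problems found in one integration entry (a dict)."""
    problems = [f"missing required property: {k}"
                for k in REQUIRED_TOP if not entry.get(k)]
    if entry.get("type") not in (None, PLUGIN_TYPE):
        problems.append(f"type must be {PLUGIN_TYPE}")
    level = entry.get("loggingLevel")
    if level is not None and str(level).lower() not in LOG_LEVELS:
        problems.append(f"invalid loggingLevel: {level}")
    props = entry.get("properties")
    if not isinstance(props, dict):
        return problems
    problems += [f"missing required property: properties.{k}"
                 for k in REQUIRED_WS if not props.get(k)]
    # Added hardening check, not a documented plugin rule: no cleartext HTTP.
    url = str(props.get("asocUrl") or "")
    if url and not url.lower().startswith("https://"):
        problems.append("asocUrl should use https://")
    return problems


def redact(entry):
    """Return a copy with secret values masked, safe to log or share."""
    safe = copy.deepcopy(entry)
    props = safe.get("properties")
    for k in SECRET_PROPS:
        if isinstance(props, dict) and k in props:
            props[k] = "***"
    return safe


# Constructed sample entry; every value is a placeholder.
SAMPLE = {"type": PLUGIN_TYPE, "name": "whitesource-example",
          "tenant_id": "TENANT-ID-PLACEHOLDER", "loggingLevel": "verbose",
          "properties": {"userKey": "USER-KEY-PLACEHOLDER",
                         "asocUrl": "http://whitesource.example.invalid"}}

if __name__ == "__main__":
    print(check_integration(SAMPLE), redact(SAMPLE))
```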
JSON code example
The following sample code can be used as a template to define the integration within the JSON file for a value stream. Copy and paste the template into the JSON file Integration section and make the appropriate changes.